Over half of firms favour hybrid working, yet are unaware of cyber attacks and data breaches occurring remotely
- 1 in 5 employees have closed more deals while working remotely
- Half of firms say they have not had a cyber attack or data breach since the March 2020 lockdown
- Yet over 40% of employees admit to having emailed confidential information during this period
- A quarter of employees have experienced or caused a data breach
- 1 in 7 employees have been subject to a phishing attack or similar cyber attack
- 1 in 5 firms say a cyber or data breach could cost the company from £10m – £50m or more
29th March 2021, London: 42% of UK financial services and law firms admit to having inadequate cyber threat visibility and detection systems to protect employees working remotely, with firms unaware of the volume of cyber attacks and data breaches impacting their remote workforce, according to new research.
A third of firms feel that their IT environment is more vulnerable to a cyber or data breach with employees working outside the office, yet 56% of firms expect the hybrid office to stay.
The study, which examined the cyber and data security practices of 3000 UK firms and 2000 employees in private equity, asset management, insurance & underwriters and corporate law since the start of the pandemic, found that 1 in 5 employees are closing more deals and winning more business when working remotely, with a third attributing this to ‘being able to work faster at home.’
Employees breached while working from home, unknown to firms
52% of the firms polled by Doherty Associates for its report ‘Who Moved My Moat? The cyber security risks of home and hybrid working – what finance and law firms need to know’ say their organisation has yet to experience a cyber attack or data breach since transitioning to remote working in the March 2020 lockdown.
A quarter of employees, however, said they have been the victim of a data breach or caused one themselves since working remotely, suggesting that employees are not reporting all of the mistakes they make to the firm. One in seven experienced a phishing attack or similar cyber attack and 42% admitted to emailing confidential client information or unencrypted attachments.
Only half of the firms surveyed have carried out a cyber risk assessment on their remote workplace and 25% admit, “we can’t guarantee security on every device used out of the office.” Yet one in five said the cost of a major cyber or data breach to the business could be anywhere from £10 million to £50 million or more.
“Unfortunately, attacks are common in the finance, insurance and legal sectors, particularly in this current climate of remote working, and the difference between how many firms are detecting breaches compared to the reality of them occurring does suggest that firms need better cyber defence postures that give greater visibility and detection to keep their remote workforce safe.”
Employees’ bad cyber habits
A third of employees surveyed by Doherty Associates said they’ve had no cyber awareness training since the first lockdown and over two thirds admit to ignoring virus security scan requests or computer update alerts to safeguard their company’s systems and sensitive data.
85% confess to working on a blend of work and personal devices when working out of the office, with around half admitting to saving confidential corporate information to these devices. But only 15% of firms have put a block on personal devices for work use.
Terry Doherty continued: “Operating a remote workforce in the cloud has many benefits, including greater flexibility, diversity and lower overheads, but it’s critical to ensure that teams continue to operate safely, securely and are fully compliant with FCA and GDPR regulations wherever they are working from. With the Government’s lockdown roadmap underway, employers are starting to plan for when restrictions ease with many reporting that hybrid working is here to stay. With employees working outside of the office, using a blend of personal and company devices, firms no longer have a single ‘front door’ to protect but a multitude of entry points to secure against cyber criminals. This is why it’s critical for firms to have excellent cyber hygiene.
“For maximum security but minimum disruption to teams, firms should also carry out a cyber risk assessment at least every six months, including penetration testing, to uncover any critical vulnerabilities or compliance issues. They should also ensure that all devices have multi-factor authentication, so employees keep their identity secure while working remotely. And they should build in comprehensive cyber awareness training for every employee, especially if they’re working outside of the office for the first time. Restrict use of personal devices and ensure that no company information is shared via personal cloud storage platforms where documents can easily be forgotten, and just as easily hacked.
“Your company is only as safe as your weakest link and by empowering employees with the knowledge to identify threats in real-time, they can become your greatest security asset and help prevent cyber attacks.”